Prepare For The Hosted Riva SSO Provider For Salesforce

WARNING: The Riva for Salesforce Single Sign-On connection strategy described in this article is not supported for new Riva On-Premise installations.

New Riva On-Premise installations include a new strategy to provide impersonation access into Salesforce: the Standard Impersonation Model. For instructions on implementing the Standard Impersonation Model, see Prepare Salesforce for Riva and Create and test a Salesforce connection.

For current Riva On-Premise installations that use Salesforce Single Sign-On, administrators are encouraged to upgrade their Riva for Salesforce connection setup to the Standard Impersonation Model. For assistance, contact the Riva Success Team.

The procedures in the following article have been deprecated. The information is being retained for clients who have not yet converted to the new Standard Impersonation Model.


Riva offers a no-cost Riva Single Sign-on (SSO) Provider service hosted "in the cloud". This hosted SSO Provider offers customers a means to self-enable Riva to use SSO for Salesforce. This hosted service supports customers with public internet access who use:

  • Exchange Web Services (EWS) 2007 or 2010 - on-premise or hosted
  • Salesforce: Professional, Enterprise or Unlimited subscriptions

How to Prepare for the Hosted Riva SSO Provider

Steps to prepare for the Hosted Riva SSO Provider for Salesforce:

  1. Prepare the Windows system requirements
  2. Prepare Exchange target users
  3. Prepare Salesforce for SSO

Windows system requirements

Prepare Exchange target users

Riva SSO for Salesforce has different username-matching requirements for on-premise Exchange versus hosted Exchange. Ensure that the usernames for the target user accounts in Exchange match the usernames for the corresponding target users in Salesforce:

  • For On-Premise Target Exchange Systems: Salesforce usernames must match the UPN of the Exchange target users. If the Active Directory domain uses a domain name (e.g. mycompany.local) that is different from the SMTP email domain name (e.g., there will not be a match and Riva will not be able to match the Exchange target user to the Salesforce target user. In those circumstances, the email domain name suffix can be added to the Active Directory domain. See this TechNet article on adding UPN domain suffixes for instructions on configuring UPN suffixes to match the email domain name(s), if necessary.

  • For Hosted Target Exchange Systems: Salesforce usernames must match the user's primary SMTP email address.
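
A pre-flight check for the two matching rules above, as an added example that is not part of the original article or of Riva's own tooling: it compares an Active Directory export with a Salesforce user export and reports every Exchange identity that has no identical Salesforce username. The CSV column names (`upn`, `primary_smtp`, `username`), the `example.com` mail domain and all sample rows are constructed assumptions; the `case_only` category exists because the article does not say how case differences are treated.

```python
import csv
import io

# Constructed sample exports; column names and values are assumptions.
AD_EXPORT = """upn,primary_smtp
jdoe@mycompany.local,jdoe@example.com
asmith@example.com,asmith@example.com
BLee@example.com,blee@example.com
ghost@example.com,ghost@example.com
"""
SF_EXPORT = """username
jdoe@example.com
asmith@example.com
blee@example.com
"""


def load(text, column):
    """Return one column of a CSV export as a list of stripped strings."""
    return [row[column].strip() for row in csv.DictReader(io.StringIO(text))]


def classify(identity, sf_usernames):
    """Compare one Exchange identity with the set of Salesforce usernames."""
    if identity in sf_usernames:
        return "match"
    lowered = {u.lower() for u in sf_usernames}
    if identity.lower() in lowered:
        return "case_only"          # differs only by letter case; review it
    local = identity.lower().partition("@")[0]
    if any(u.partition("@")[0] == local for u in lowered):
        return "suffix_mismatch"    # same user part, different domain suffix
    return "no_match"


def preflight(ad_csv, sf_csv, hosted):
    """On-premise Exchange is matched on UPN, hosted Exchange on primary SMTP."""
    column = "primary_smtp" if hosted else "upn"
    sf = set(load(sf_csv, "username"))
    return {ident: classify(ident, sf) for ident in load(ad_csv, column)}


if __name__ == "__main__":
    for mode, hosted in (("on-premise", False), ("hosted", True)):
        for ident, status in preflight(AD_EXPORT, SF_EXPORT, hosted).items():
            print(f"{mode:10} {ident:24} {status}")
```

A `suffix_mismatch` result for an on-premise system is the case the UPN suffix change described above addresses.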

Prepare Salesforce for SSO

These steps will enable Single Sign-On in a Salesforce organization. If a company uses multiple Salesforce organizations, these steps must be repeated for each organization. To prepare and enable a Salesforce organization for SSO:

  1. Activate the “Delegated Authentication Single Sign-On” (DA-SSO) feature.

  2. Configure a “Network Trust” for the hosted Riva SSO Provider.

  3. Configure a "Network Trust" for the Riva server.

  4. Modify the Salesforce "System Administrator" user profile to support administering SSO-enabled target users.

  5. Prepare SSO-enabled User Profiles / Permission Sets. This step is required for Salesforce Enterprise and Unlimited organizations.

Note: Do not add target users at this time. For Salesforce Professional organizations, all users (except system administrators) will be automatically enabled for SSO as soon as the Delegated Gateway URL is specified.
